Executive Summary
Summary | |
---|---|
Title | Updated xen packages fix multiple vulnerabilities |
Informations | |||
---|---|---|---|
Name | MDKSA-2007:203 | First vendor Publication | 2007-11-01 |
Vendor | Mandriva | Last vendor Modification | 2007-11-01 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 7.2 | Attack Range | Local |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Tavis Ormandy discovered a heap overflow flaw during video-to-video copy operations in the Cirrus VGA extension code that is used in Xen. A malicious local administrator of a guest domain could potentially trigger this flaw and execute arbitrary code outside of the domain (CVE-2007-1320). Tavis Ormandy also discovered insufficient input validation leading to a heap overflow in the NE2000 network driver in Xen. If the driver is in use, a malicious local administrator of a guest domain could potentially trigger this flaw and execute arbitrary code outside of the domain (CVE-2007-1321, CVE-2007-5729, CVE-2007-5730). Steve Kemp found that xen-utils used insecure temporary files within the xenmon tool that could allow local users to truncate arbitrary files (CVE-2007-3919). Joris van Rantwijk discovered a flaw in Pygrub, which is used as a boot loader for guest domains. A malicious local administrator of a guest domain could create a carefully-crafted grub.conf file which could trigger the execution of arbitrary code outside of that domain (CVE-2007-4993). Updated packages have been patched to prevent these issues. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDKSA-2007:203 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
40 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
20 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
20 % | CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
20 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10000 | |||
Oval ID: | oval:org.mitre.oval:def:10000 | ||
Title: | Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability. | ||
Description: | Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-5730 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:10315 | |||
Oval ID: | oval:org.mitre.oval:def:10315 | ||
Title: | Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow. | ||
Description: | Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-1320 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:11240 | |||
Oval ID: | oval:org.mitre.oval:def:11240 | ||
Title: | pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements. | ||
Description: | pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-4993 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17613 | |||
Oval ID: | oval:org.mitre.oval:def:17613 | ||
Title: | USN-527-1 -- xen-3.0 vulnerability | ||
Description: | Joris van Rantwijk discovered that the Xen host did not correctly validate the contents of a Xen guests's grug.conf file. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-527-1 CVE-2007-4993 | Version: | 7 |
Platform(s): | Ubuntu 7.04 | Product(s): | xen-3.0 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18680 | |||
Oval ID: | oval:org.mitre.oval:def:18680 | ||
Title: | DSA-1395-1 xen-3.0 - insecure temporary files | ||
Description: | Steve Kemp from the Debian Security Audit project discovered that xen-utils, a collection of XEN administrative tools, used temporary files insecurely within the xenmon tool allowing local users to truncate arbitrary files. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1395-1 CVE-2007-3919 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | xen-3.0 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:20455 | |||
Oval ID: | oval:org.mitre.oval:def:20455 | ||
Title: | DSA-1384-1 xen-3.0 | ||
Description: | Several local vulnerabilities have been discovered in the Xen hypervisor packages which may lead to the execution of arbitrary code. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1384-1 CVE-2007-4993 CVE-2007-1320 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | xen-3.0 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22666 | |||
Oval ID: | oval:org.mitre.oval:def:22666 | ||
Title: | ELSA-2007:0323: xen security update (Important) | ||
Description: | pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2007:0323-01 CVE-2007-1320 CVE-2007-1321 CVE-2007-4993 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | xen |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:9302 | |||
Oval ID: | oval:org.mitre.oval:def:9302 | ||
Title: | Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730. | ||
Description: | Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-1321 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9913 | |||
Oval ID: | oval:org.mitre.oval:def:9913 | ||
Title: | (1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm. | ||
Description: | (1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-3919 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 | |
Application | 3 | |
Os | 2 | |
Os | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2009-04-09 | Name : Mandriva Update for qemu MDVSA-2008:162 (qemu) File : nvt/gb_mandriva_MDVSA_2008_162.nasl |
2009-04-09 | Name : Mandriva Update for xen MDKSA-2007:203 (xen) File : nvt/gb_mandriva_MDKSA_2007_203.nasl |
2009-03-23 | Name : Ubuntu Update for xen-3.0 vulnerability USN-527-1 File : nvt/gb_ubuntu_USN_527_1.nasl |
2009-03-06 | Name : RedHat Update for xen RHSA-2008:0194-01 File : nvt/gb_RHSA-2008_0194-01_xen.nasl |
2009-02-27 | Name : Fedora Update for xen FEDORA-2007-2270 File : nvt/gb_fedora_2007_2270_xen_fc7.nasl |
2009-02-27 | Name : Fedora Update for xen FEDORA-2007-2708 File : nvt/gb_fedora_2007_2708_xen_fc7.nasl |
2009-02-27 | Name : Fedora Update for xen FEDORA-2007-713 File : nvt/gb_fedora_2007_713_xen_fc6.nasl |
2009-02-27 | Name : Fedora Update for xen FEDORA-2007-737 File : nvt/gb_fedora_2007_737_xen_fc6.nasl |
2009-02-17 | Name : Fedora Update for kvm FEDORA-2008-4386 File : nvt/gb_fedora_2008_4386_kvm_fc9.nasl |
2009-02-17 | Name : Fedora Update for kvm FEDORA-2008-4604 File : nvt/gb_fedora_2008_4604_kvm_fc8.nasl |
2009-02-17 | Name : Fedora Update for kvm FEDORA-2008-9556 File : nvt/gb_fedora_2008_9556_kvm_fc8.nasl |
2009-02-16 | Name : Fedora Update for kvm FEDORA-2008-10000 File : nvt/gb_fedora_2008_10000_kvm_fc10.nasl |
2009-02-16 | Name : Fedora Update for xen FEDORA-2008-2083 File : nvt/gb_fedora_2008_2083_xen_fc7.nasl |
2009-02-13 | Name : Fedora Update for kvm FEDORA-2008-11705 File : nvt/gb_fedora_2008_11705_kvm_fc9.nasl |
2009-01-20 | Name : SuSE Security Summary SUSE-SR:2009:002 File : nvt/suse_sr_2009_002.nasl |
2008-09-04 | Name : FreeBSD Ports: qemu, qemu-devel File : nvt/freebsd_qemu.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1395-1 (xen-utils) File : nvt/deb_1395_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1384-1 (xen-utils) File : nvt/deb_1384_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1284-1 (qemu) File : nvt/deb_1284_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
42986 | QEMU NE2000 Emulator slirp Library Local Overflow |
42985 | QEMU net socket listen Option Local Overflow |
41343 | Xen xenmon.py /tmp/xenq-shm Symlink Arbitrary File Truncation |
41342 | Xen xenbaked /tmp/xenq-shm Symlink Arbitrary File Truncation |
41340 | Xen pygrub (tools/pygrub/src/GrubConf.py) Cross-Domain Arbitrary Command Exec... |
35495 | QEMU NE2000 Network Driver Ethernet Frame Handling Overflow |
35494 | QEMU Cirrus VGA Extension cirrus_invalidate_region Function Multiple Overflows |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-02-17 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL63519101.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2008-2003.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2008-0194.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0323.nasl - Type : ACT_GATHER_INFO |
2012-09-24 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10083.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20080513_xen_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071004_xen_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2008-0194.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0323.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_kvm-090112.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_kvm-090112.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-162.nasl - Type : ACT_GATHER_INFO |
2008-12-26 | Name : The remote Fedora host is missing a security update. File : fedora_2008-11705.nasl - Type : ACT_GATHER_INFO |
2008-11-12 | Name : The remote Fedora host is missing a security update. File : fedora_2008-9556.nasl - Type : ACT_GATHER_INFO |
2008-11-03 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_07bb3bd2a92011dd85030211060005df.nasl - Type : ACT_GATHER_INFO |
2008-05-29 | Name : The remote Fedora host is missing a security update. File : fedora_2008-4386.nasl - Type : ACT_GATHER_INFO |
2008-05-29 | Name : The remote Fedora host is missing a security update. File : fedora_2008-4604.nasl - Type : ACT_GATHER_INFO |
2008-05-16 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0194.nasl - Type : ACT_GATHER_INFO |
2008-02-29 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2083.nasl - Type : ACT_GATHER_INFO |
2007-11-14 | Name : The remote openSUSE host is missing a security update. File : suse_xen-4616.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-527-1.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2708.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2270.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-737.nasl - Type : ACT_GATHER_INFO |
2007-11-02 | Name : The remote Mandrake Linux host is missing a security update. File : mandrake_MDKSA-2007-203.nasl - Type : ACT_GATHER_INFO |
2007-10-26 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1395.nasl - Type : ACT_GATHER_INFO |
2007-10-09 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1384.nasl - Type : ACT_GATHER_INFO |
2007-10-09 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-713.nasl - Type : ACT_GATHER_INFO |
2007-10-03 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0323.nasl - Type : ACT_GATHER_INFO |
2007-05-03 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1284.nasl - Type : ACT_GATHER_INFO |
2007-05-02 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_0ac89b39f82911dbb55c000e0c6d38a9.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:38:57 |
|